Make sure neverallow rules also cover other property types

There are now individual property files to control access to properties. Don't allow processes other than init to write to these property files. Change-Id: I184b9df4555ae5051f9a2ba946613c6c5d9d4403

Make sure neverallow rules also cover other property types
45737b9f · Nick Kralevich · 6b65143f · 45737b9f
Commit 45737b9f authored 8 years ago by Nick Kralevich
--- a/domain.te
+++ b/domain.te
@@ -288,9 +288,12 @@ neverallow {

 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;

-# Only the init property service should write to /data/property.
+# Only the init property service should write to /data/property and /dev/__properties__
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
 neverallow { domain -init } property_data_file:file no_w_file_perms;
+neverallow { domain -init } property_type:file no_w_file_perms;
+neverallow { domain -init } properties_device:file no_w_file_perms;
+neverallow { domain -init } properties_serial:file no_w_file_perms;

 # Only recovery should be doing writes to /system
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set